commit 3ac4e26b2cc43180661453851174f40a1292da09
Author: Chris Wright
Date:   Wed Jan 10 11:10:37 2007 -0800

    Linux 2.6.19.2

commit 8e609d9efea47564c000d486f558d0c0aba8617e
Author: Peter Zijlstra
Date:   Fri Dec 22 14:25:52 2006 +0100

    [PATCH] Fix up page_mkclean_one(): virtual caches, s390

     - add flush_cache_page() for all those virtual indexed cache
       architectures.

     - handle s390.

    Signed-off-by: Peter Zijlstra
    Signed-off-by: Linus Torvalds
    [chrisw: fold in d6e88e671ac1]
    Signed-off-by: Chris Wright

commit e26353af7096103cec474473cbd81dc4190bba77
Author: Linus Torvalds
Date:   Sat Dec 16 09:44:32 2006 -0800

    [PATCH] Fix incorrect user space access locking in mincore() (CVE-2006-4814)

    Doug Chapman noticed that mincore() will do a "copy_to_user()" of the
    result while holding the mmap semaphore for reading, which is a big
    no-no. While a recursive read-lock on a semaphore in the case of a page
    fault happens to work, we don't actually allow them due to deadlock
    scenarios with writers due to fairness issues.

    Doug and Marcel sent in a patch to fix it, but I decided to just rewrite
    the mess instead - not just fixing the locking problem, but making the
    code smaller and (imho) much easier to understand.

    Cc: Doug Chapman
    Cc: Marcel Holtmann
    Cc: Hugh Dickins
    Cc: Andrew Morton
    [chrisw: fold in subsequent fix: 4fb23e439ce0]
    Acked-by: Hugh Dickins
    [chrisw: fold in subsequent fix: 825020c3866e]
    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit 85a181bb8fbaf93019651dbfa5034788b7164fa1
Author: Hugh Dickins
Date:   Fri Jan 5 16:37:03 2007 -0800

    [PATCH] fix OOM killing of swapoff

    These days, if you swapoff when there isn't enough memory, OOM killer
    gives "BUG: scheduling while atomic" and the machine hangs: badness()
    needs to do its PF_SWAPOFF return after the task_unlock (tasklist_lock
    is also held here, so p isn't going to be freed: PF_SWAPOFF might get
    turned off at any moment, but that doesn't really matter).

    Signed-off-by: Hugh Dickins
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit dd2b609d2317fb243cc01eb984c91cc639a84d28
Author: Erik Jacobson
Date:   Fri Jan 5 16:37:05 2007 -0800

    [PATCH] connector: some fixes for ia64 unaligned access errors

    On ia64, the various functions that make up cn_proc.c cause kernel
    unaligned access errors.

    If you are using these, for example, to get notification about all
    tasks forking and exiting, you get multiple unaligned access errors per
    process.

    Use put_unaligned() in the appropriate places to fix this.

    Signed-off-by: Erik Jacobson
    Cc: Evgeniy Polyakov
    Cc: Tony Luck
    Cc:
    Cc: "David S. Miller"
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit ddf14e7a76a071c034aaeb71ed6aab4084c9bf7c
Author: Paul Moore
Date:   Mon Dec 18 13:07:29 2006 -0500

    [PATCH] NetLabel: correctly fill in unused CIPSOv4 level and category mappings

    Back when the original NetLabel patches were being changed to use
    Netlink attributes correctly some code was accidentally dropped which
    set all of the undefined CIPSOv4 level and category mappings to a
    sentinel value. The result is the mappings data in the kernel contains
    bogus mappings which always map to zero. Having level and category
    mappings that map to zero could result in the kernel assigning
    incorrect security attributes to packets.

    This patch restores the old/correct behavior by initializing the
    mapping data to the correct sentinel value.

    Signed-off-by: Paul Moore
    Signed-off-by: Chris Wright

commit a44a397980a37ecd619b46d40ed39aa76c14f3d6
Author: David Hollis
Date:   Fri Jan 5 12:34:05 2007 -0500

    [PATCH] asix: Fix typo for AX88772 PHY Selection

    The attached patch fixes a PHY selection problem that prevents AX88772
    based devices (Linksys USB200Mv2, etc) devices from working. The
    interface comes up and everything seems fine except the device doesn't
    send/receive any packets. The one-liner attached fixes this issue and
    makes the devices usable again.

    Signed-off-by: David Hollis
    Signed-off-by: Chris Wright

commit edfe21a29b1dca9ce5a938317868066d2e21c385
Author: David L Stevens
Date:   Thu Jan 4 17:07:34 2007 -0800

    [PATCH] IPV4/IPV6: Fix inet{,6} device initialization order.

    It is important that we only assign dev->ip{,6}_ptr only after all
    portions of the inet{,6} are setup.

    Otherwise we can receive packets before the multicast spinlocks et al.
    are initialized.

    Signed-off-by: David L Stevens
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 685478871654867116230498eb6ad263b0be72b8
Author: David Miller
Date:   Thu Jan 4 17:04:31 2007 -0800

    [PATCH] SOUND: Sparc CS4231: Use 64 for period_bytes_min

    This matches what the ISA cs4231 driver uses.

    Tested by Georg Chini.

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit e818d1282c8abbda0764c537db19fc09925bc881
Author: Georg Chini
Date:   Thu Jan 4 17:03:38 2007 -0800

    [PATCH] SOUND: Sparc CS4231: Fix IRQ return value and initialization.

    SBUS: Change IRQ-handler return value from 0 to IRQ_HANDLED and fix
    some initialisation problems. Change period_bytes_min from 4096 to 256
    to allow driver to work with low latency (VOIP) applications. Hope this
    does not break EBUS.

    Signed-off-by: Georg Chini
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit ff6173b1de40f8b0341c18a8e12414a59bcf7f52
Author: Chuck Ebbert <76306.1226@compuserve.com>
Date:   Thu Jan 4 02:59:56 2007 -0500

    [PATCH] ebtables: don't compute gap before checking struct type

    We cannot compute the gap until we know we have a 'struct ebt_entry'
    and not 'struct ebt_entries'. Failure to check can cause crash.

    Tested-by: Santiago Garcia Mantinan
    Acked-by: Al Viro
    Acked-by: Patrick McHardy
    Signed-off-by: Chuck Ebbert <76306.1226@compuserve.com>
    Signed-off-by: Chris Wright

commit c68cacc6bc902217988302f966a47fe184f3eaa1
Author: Jean Delvare
Date:   Wed Jan 3 23:21:03 2007 -0500

    [PATCH] V4L: cx88: Fix leadtek_eeprom tagging

    reference to .init.text: from .text between 'cx88_card_setup'
    (at offset 0x68c) and 'cx88_risc_field'

    Caused by leadtek_eeprom() being declared __devinit and called from
    a non-devinit context.

    Signed-off-by: Jean Delvare
    Signed-off-by: Michael Krufky
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Chris Wright

commit eba2a8ec583b36e288d51b9cd7c24c0a72c61975
Author: Ang Way Chuang
Date:   Wed Jan 3 23:20:48 2007 -0500

    [PATCH] dvb-core: fix bug in CRC-32 checking on 64-bit systems

    CRC-32 checking during ULE decapsulation always failed on x86_64
    systems due to the size of a variable used to store CRC. This bug was
    discovered on Fedora Core 6 with kernel-2.6.18-1.2849. The i386
    counterpart has no such problem.

    This patch has been tested on 64-bit system as well as 32-bit system.

    Signed-off-by: Ang Way Chuang
    Signed-off-by: Michael Krufky
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Chris Wright

commit 3d393b5812f3e89ed704493c4d3db124d300e1e6
Author: Hans Verkuil
Date:   Wed Jan 3 23:20:55 2007 -0500

    [PATCH] V4L: cx2341x: audio_properties is an u16, not u8

    This bug broke the MPEG audio mode controls.

    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Chris Wright

commit 54e25b0460e6b1100e7ef9c0ac801bdce83921c0
Author: Linus Torvalds
Date:   Fri Dec 29 10:00:58 2006 -0800

    [PATCH] VM: Fix nasty and subtle race in shared mmap'ed page writeback

    The VM layer (on the face of it, fairly reasonably) expected that when
    it does a ->writepage() call to the filesystem, it would write out the
    full page at that point in time. Especially since it had earlier marked
    the whole page dirty with "set_page_dirty()".

    But that isn't actually the case: ->writepage() does not actually write
    a page, it writes the parts of the page that have been explicitly
    marked dirty before, *and* that had not got written out for other
    reasons since the last time we told it they were dirty.

    That last caveat is the important one.

    Which _most_ of the time ends up being the whole page (since we had
    called "set_page_dirty()" on the page earlier), but if the filesystem
    had done any dirty flushing of its own (for example, to honor some
    internal write ordering guarantees), it might end up doing only a
    partial page IO (or none at all) when ->writepage() is actually called.

    That is the correct thing in general (since we actually often _want_
    only the known-dirty parts of the page to be written out), but the
    shared dirty page handling had implicitly forgotten about these
    details, and had a number of cases where it was doing just the
    "->writepage()" part, without telling the low-level filesystem that the
    whole page might have been re-dirtied as part of being mapped writably
    into user space.

    Since most of the time the FS did actually write out the full page, we
    didn't notice this for a loong time, and this needed some really odd
    patterns to trigger. But it caused occasional corruption with rtorrent
    and with the Debian "apt" database, because both use shared mmaps to
    update the end result.

    This fixes it. Finally. After way too much hair-pulling.

    Acked-by: Nick Piggin
    Acked-by: Martin J. Bligh
    Acked-by: Martin Michlmayr
    Acked-by: Martin Johansson
    Acked-by: Ingo Molnar
    Acked-by: Andrei Popa
    Cc: High Dickins
    Cc: Andrew Morton,
    Cc: Peter Zijlstra
    Cc: Segher Boessenkool
    Cc: David Miller
    Cc: Arjan van de Ven
    Cc: Gordon Farquharson
    Cc: Guillaume Chazarain
    Cc: Theodore Tso
    Cc: Kenneth Cheng
    Cc: Tobias Diedrich
    Signed-off-by: Linus Torvalds
    [chrisw: backport to 2.6.19.1]
    Signed-off-by: Chris Wright

commit 4a213fb9c3aa28047a7a8ec78999878feb71a17b
Author: Jan Andersson
Date:   Tue Jan 2 00:09:25 2007 -0800

    [PATCH] sparc32: add offset in pci_map_sg()

    Add sg->offset to sg->dvma_address in pci_map_sg() on sparc32. Without
    the offset, transfers to buffers that do not begin on a page boundary
    will not work as expected.

    Signed-off-by: Jan Andersson
    Cc: "David S. Miller"
    Cc: William Lee Irwin III
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit 6aa513624c75f67c22f3ae094644dd458bdc0204
Author: David Woodhouse
Date:   Tue Jan 2 00:07:50 2007 -0800

    [PATCH] NET: Don't export linux/random.h outside __KERNEL__

    Don't add it there please; add it lower down inside the existing #ifdef
    __KERNEL__. You just made the _userspace_ net.h include random.h, which
    then fails to compile unless was already included.

    Signed-off-by: David Woodhouse
    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 5abbb71b50d4a81b1a95e2f6f95c96db1931f42a
Author: David Miller
Date:   Tue Jan 2 00:06:00 2007 -0800

    [PATCH] SPARC64: Handle ISA devices with no 'regs' property.

    And this points out that the return value from isa_dev_get_resource()
    and the 'pregs' arg to isa_dev_get_irq() are totally unused.

    Based upon a patch from Richard Mortimer

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit bbcbb9a470f9dc18fba57f42febd3036924e5aff
Author: David Miller
Date:   Tue Jan 2 00:03:37 2007 -0800

    [PATCH] SPARC64: Fix "mem=xxx" handling.

    We were not being careful enough.
    When we trim the physical memory areas, we have to make sure we don't
    remove the kernel image or initial ramdisk image ranges.

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 681f19c638245198eeefc861b10d9b83c313ac26
Author: Robert Olsson
Date:   Mon Jan 1 21:04:19 2007 -0800

    [PATCH] PKTGEN: Fix module load/unload races.

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 8d312ae11257a259d78e122fd73274b8ef4789d1
Author: Eric Sandeen
Date:   Sat Dec 30 18:30:32 2006 -0500

    [PATCH] ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054)

    This one was pointed out on the MOKB site:
    http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html

    If a directory's i_size is corrupted, ext2_find_entry() will keep
    processing pages until the i_size is reached, even if there are no more
    blocks associated with the directory inode. This patch puts in some
    minimal sanity-checking so that we don't keep checking pages (and
    issuing errors) if we know there can be no more data to read, based on
    the block count of the directory inode.

    This is somewhat similar in approach to the ext3 patch I sent earlier
    this year.

    Signed-off-by: Eric Sandeen
    Signed-off-by: Chris Wright

commit fe89cf78648bf9f87b7fb26c4a7d3bc410718f06
Author: Phillip Lougher
Date:   Sat Dec 30 18:28:06 2006 -0500

    [PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

    Steve Grubb's fsfuzzer tool
    (http://people.redhat.com/sgrubb/files/fsfuzzer-0.6.tar.gz) generates
    corrupt Cramfs filesystems which cause Cramfs to kernel oops in
    cramfs_uncompress_block(). The cause of the oops is an unchecked
    corrupted block length field read by cramfs_readpage().

    This patch adds a sanity check to cramfs_readpage() which checks that
    the block length field is sensible.

    The (PAGE_CACHE_SIZE << 1) size check is intentional, even though the
    uncompressed data is not going to be larger than PAGE_CACHE_SIZE, gzip
    sometimes generates compressed data larger than the original source
    data. Mkcramfs checks that the compressed size is always less than or
    equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could use the original
    uncompressed data in this case, but it doesn't.

    Signed-off-by: Phillip Lougher
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit eaca4fd8265aa05c5b07aaa425e058abd0aa38d5
Author: Eric Sandeen
Date:   Sat Dec 30 18:22:07 2006 -0500

    [PATCH] handle ext3 directory corruption better (CVE-2006-6053)

    I've been using Steve Grubb's purely evil "fsfuzzer" tool, at
    http://people.redhat.com/sgrubb/files/fsfuzzer-0.4.tar.gz

    Basically it makes a filesystem, splats some random bits over it, then
    tries to mount it and do some simple filesystem actions.

    At best, the filesystem catches the corruption gracefully. At worst,
    things spin out of control.

    As you might guess, we found a couple places in ext3 where things spin
    out of control :)

    First, we had a corrupted directory that was never checked for
    consistency... it was corrupt, and pointed to another bad "entry" of
    length 0. The for() loop looped forever, since the length of
    ext3_next_entry(de) was 0, and we kept looking at the same pointer over
    and over and over and over... I modeled this check and subsequent
    action on what is done for other directory types in ext3_readdir...

    (adding this check adds some computational expense; I am testing a
    followup patch to reduce the number of times we check and re-check
    these directory entries, in all cases. Thanks for the idea, Andreas).

    Next we had a root directory inode which had a corrupted size, claimed
    to be > 200M on a 4M filesystem. There was only really 1 block in the
    directory, but because the size was so large, readdir kept coming back
    for more, spewing thousands of printk's along the way.
    Per Andreas' suggestion, if we're in this read error condition and
    we're trying to read an offset which is greater than i_blocks worth of
    bytes, stop trying, and break out of the loop.

    With these two changes fsfuzz test survives quite well on ext3.

    Signed-off-by: Eric Sandeen
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit 8cda74c46c47345d887477801ef137d72f38a249
Author: Ulrich Kunitz
Date:   Sat Dec 30 16:35:17 2006 -0500

    [PATCH] zd1211rw: Call ieee80211_rx in tasklet

    The driver called ieee80211_rx in hardware interrupt context. This has
    been against the intention of the ieee80211_rx function. It caused a
    bug in the crypto routines used by WPA. This patch calls ieee80211_rx
    in a tasklet.

    Signed-off-by: Ulrich Kunitz
    Signed-off-by: Andrew Morton
    Signed-off-by: John W. Linville
    Signed-off-by: Chris Wright

commit 39e06a69f7e3a16415c7e53bad1d7fa9257baaa1
Author: Ulrich Kunitz
Date:   Sat Dec 30 16:18:14 2006 -0500

    [PATCH] softmac: Fixed handling of deassociation from AP

    In 2.6.19 a deauthentication from the AP doesn't start a reassociation
    by the softmac code. It appears that mac->associnfo.associating must be
    set and the ieee80211softmac_assoc_work function must be scheduled.
    This patch fixes that.

    Signed-off-by: Ulrich Kunitz
    Signed-off-by: John W. Linville
    Signed-off-by: Chris Wright

commit cb5dad8b96734e7f92160e389794ca8d9b58da2d
Author: Shantanu Goel
Date:   Fri Dec 29 16:48:59 2006 -0800

    [PATCH] Buglet in vmscan.c

    Fix a rather obvious buglet. Noticed while instrumenting the VM using
    /proc/vmstat.

    Cc: Christoph Lameter
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit d0b18e5c89b42697dd2d5af55f4efc430b0586b1
Author: Dimitri Gorokhovik
Date:   Fri Dec 29 16:48:24 2006 -0800

    [PATCH] ramfs breaks without CONFIG_BLOCK

    ramfs doesn't provide the .set_dirty_page a_op, and when the BLOCK
    layer is not configured in, 'set_page_dirty' makes a call via a NULL
    pointer.

    Signed-off-by: Dimitri Gorokhovik
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit abf56f5ea98c71722511e37d321982013123dbbf
Author: Shaohua Li
Date:   Sat Dec 23 21:39:08 2006 -0500

    [PATCH] i386: CPU hotplug broken with 2GB VMSPLIT

    In VMSPLIT mode, kernel PGD might have more entries than user space

    Signed-off-by: Shaohua Li
    Signed-off-by: Chris Wright

commit 6e7e241df766e1a6c2d505df5e14b593a0e63bb4
Author: Mike Miller
Date:   Sat Dec 23 15:11:58 2006 -0500

    [PATCH] cciss: fix XFER_READ/XFER_WRITE in do_cciss_request

    This patch fixes a stupid bug. Sometime during the 2tb enhancement I
    ended up replacing the macros XFER_READ and XFER_WRITE with
    h->cciss_read and h->cciss_write respectively. It seemed to work
    somehow at least on x86_64 and ia64. I don't know how. But people
    started complaining about command timeouts on older controllers like
    the 64xx series and only on ia32. This resolves the issue reproduced in
    our lab. Please consider this for inclusion.

    Signed-off-by: Mike Miller
    Signed-off-by: Chris Wright

commit 3629bc276335cfc6650c6b7119ea8b1e2518ec6c
Author: David Miller
Date:   Fri Dec 22 11:56:21 2006 -0800

    [PATCH] UDP: Fix reversed logic in udp_get_port()

    When this code was converted to use sk_for_each() the logic for the
    "best hash chain length" code was reversed, breaking everything.

    The original code was of the form:

            size = 0;
            do {
                    if (++size >= best_size_so_far)
                            goto next;
            } while ((sk = sk->next) != NULL);
            best_size_so_far = size;
            best = result;
    next:;

    and this got converted into:

            sk_for_each(sk2, node, head)
                    if (++size < best_size_so_far) {
                            best_size_so_far = size;
                            best = result;
                    }

    Which does something very very different from the original.

    Signed-off-by: David S. Miller
    Signed-off-by: Chris Wright

commit 31ce2d6a3a9a9164cb535d64f7ce2eb2e3f1debe
Author: Ed L Cashin
Date:   Fri Dec 22 01:09:21 2006 -0800

    [PATCH] fix aoe without scatter-gather [Bug 7662]

    Fix a bug that only appears when AoE goes over a network card that does
    not support scatter-gather. The headers in the linear part of the skb
    appeared to be larger than they really were, resulting in data that was
    offset by 24 bytes.

    This patch eliminates the offset data on cards that don't support
    scatter-gather or have had scatter-gather turned off. There remains an
    unrelated issue that I'll address in a separate email.

    Fixes bugzilla #7662

    Signed-off-by: "Ed L. Cashin"
    Cc:
    Cc: Greg KH
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 3cca577748fc50b94c9007b49b6f2bdce2677ee0
Author: Vitaly Wool
Date:   Fri Dec 22 01:08:24 2006 -0800

    [PATCH] smc911x: fix netpoll compilation faliure

    Fix the compilation failure for smc911x.c when NET_POLL_CONTROLLER is
    set.

    Signed-off-by: Vitaly Wool
    Cc: Jeff Garzik
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit cb57fcaf9b8c1946aa1e436821a7a4901dc926d0
Author: Badari Pulavarty
Date:   Fri Dec 22 01:06:23 2006 -0800

    [PATCH] Fix for shmem_truncate_range() BUG_ON()

    Ran into BUG() while doing madvise(REMOVE) testing. If we are punching
    a hole into shared memory segment using madvise(REMOVE) and the entire
    hole is below the indirect blocks, we hit following assert.

            BUG_ON(limit <= SHMEM_NR_DIRECT);

    Signed-off-by: Badari Pulavarty
    Cc: Hugh Dickins
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 9ba9b18addcee8b7be8877727738f59a9fd37b29
Author: Ingo Molnar
Date:   Thu Dec 21 13:20:30 2006 +0100

    [PATCH] sched: fix bad missed wakeups in the i386, x86_64, ia64, ACPI and APM idle code

    Fernando Lopez-Lezcano reported frequent scheduling latencies and audio
    xruns starting at the 2.6.18-rt kernel, and those problems persisted
    all until current -rt kernels.
    The latencies were serious and unjustified by system load, often in the
    milliseconds range.

    After a patient and heroic multi-month effort of Fernando, where he
    tested dozens of kernels, tried various configs, boot options,
    test-patches of mine and provided latency traces of those incidents,
    the following 'smoking gun' trace was captured by him:

                     _------=> CPU#
                    / _-----=> irqs-off
                   | / _----=> need-resched
                   || / _---=> hardirq/softirq
                   ||| / _--=> preempt-depth
                   |||| /
                   |||||     delay
       cmd     pid ||||| time  |   caller
          \   /    |||||   \   |   /
     IRQ_19-1479  1D..1    0us : __trace_start_sched_wakeup (try_to_wake_up)
     IRQ_19-1479  1D..1    0us : __trace_start_sched_wakeup <<...>-5856> (37 0)
     IRQ_19-1479  1D..1    0us : __trace_start_sched_wakeup (c01262ba 0 0)
     IRQ_19-1479  1D..1    0us : resched_task (try_to_wake_up)
     IRQ_19-1479  1D..1    0us : __spin_unlock_irqrestore (try_to_wake_up)
     ...
          -0      1...1   11us!: default_idle (cpu_idle)
     ...
          -0      0Dn.1  602us : smp_apic_timer_interrupt (c0103baf 1 0)
     ...
      <...>-5856  0D..2  618us : __switch_to (__schedule)
      <...>-5856  0D..2  618us : __schedule <-0> (20 162)
      <...>-5856  0D..2  619us : __spin_unlock_irq (__schedule)
      <...>-5856  0...1  619us : trace_stop_sched_switched (__schedule)
      <...>-5856  0D..1  619us : trace_stop_sched_switched <<...>-5856> (37 0)

    what is visible in this trace is that CPU#1 ran try_to_wake_up() for
    PID:5856, it placed PID:5856 on CPU#0's runqueue and ran resched_task()
    for CPU#0. But it decided to not send an IPI that no CPU - due to
    TS_POLLING. But CPU#0 never woke up after its NEED_RESCHED bit was set,
    and only rescheduled to PID:5856 upon the next lapic timer IRQ. The
    result was a 600+ usecs latency and a missed wakeup!

    the bug turned out to be an idle-wakeup bug introduced into the
    mainline kernel this summer via an optimization in the x86_64 tree:

        commit 495ab9c045e1b0e5c82951b762257fe1c9d81564
        Author: Andi Kleen
        Date:   Mon Jun 26 13:59:11 2006 +0200

        [PATCH] i386/x86-64/ia64: Move polling flag into thread_info_status

        During some profiling I noticed that default_idle causes a lot of
        memory traffic. I think that is caused by the atomic operations
        to clear/set the polling flag in thread_info. There is actually
        no reason to make this atomic - only the idle thread does it
        to itself, other CPUs only read it. So I moved it into ti->status.

    the problem is this type of change:

    if (!hlt_counter && boot_cpu_data.hlt_works_ok) { - clear_thread_flag(TIF_POLLING_NRFLAG); + current_thread_info()->status &= ~TS_POLLING; smp_mb__after_clear_bit(); while (!need_resched()) { local_irq_disable();

    this changes clear_thread_flag() to an explicit clearing of TS_POLLING.
    clear_thread_flag() is defined as:

            clear_bit(flag, &ti->flags);

    and clear_bit() is a LOCK-ed atomic instruction on all x86 platforms:

      static inline void clear_bit(int nr, volatile unsigned long * addr)
      {
              __asm__ __volatile__( LOCK_PREFIX
                      "btrl %1,%0"

    hence smp_mb__after_clear_bit() is defined as a simple compile barrier:

      #define smp_mb__after_clear_bit() barrier()

    but the explicit TS_POLLING clearing introduced by the patch:

    + current_thread_info()->status &= ~TS_POLLING;

    is not an atomic op! So the clearing of the TS_POLLING bit is freely
    reorderable with the reading of the NEED_RESCHED bit - and both now
    reside in different memory addresses.

    CPU idle wakeup very much depends on ordered memory ops, the clearing
    of the TS_POLLING flag must always be done before we test
    need_resched() and hit the idle instruction(s). [Symmetrically, the
    wakeup code needs to set NEED_RESCHED before it tests the TS_POLLING
    flag, so memory ordering is paramount.]

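Review bot: in the quoted hunk the `+ current_thread_info()->status &= ~TS_POLLING;` line swaps the LOCK-prefixed clear_bit() for a plain store but leaves smp_mb__after_clear_bit() as the barrier that follows it, and by the definition quoted above that is only barrier(), so nothing orders the store before the need_resched() load in the while condition. The barrier should become smp_mb() in the same hunk, with a comment stating that the TS_POLLING clear must be visible before need_resched() is tested.
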
    Fernando's dual-core Athlon64 system has a sufficiently advanced memory
    ordering model so that it triggered this scenario very often.

    ( And it also turned out that the reason why these latencies never
      triggered on my testsystems is that i routinely use idle=poll, which
      was the only idle variant not affected by this bug. )

    The fix is to change the smp_mb__after_clear_bit() to an smp_mb(), to
    act as an absolute barrier between the TS_POLLING write and the
    NEED_RESCHED read. This affects almost all idling methods (default,
    ACPI, APM), on all 3 x86 architectures: i386, x86_64, ia64.

    Signed-off-by: Ingo Molnar
    Tested-by: Fernando Lopez-Lezcano
    [chrisw: backport to 2.6.19.1]
    Signed-off-by: Chris Wright

commit 2be250f7cb8b1b4ae1d4732795d952e49ea32145
Author: Dirk Eibach
Date:   Wed Dec 20 08:34:43 2006 +0100

    [PATCH] i2c: fix broken ds1337 initialization

    On a custom board with ds1337 RTC I found that upgrade from 2.6.15 to
    2.6.18 broke RTC support.

    The main problem are changes to ds1337_init_client().
    When a ds1337 recognizes a problem (e.g. power or clock failure) bit 7
    in status register is set. This has to be reset by writing 0 to status
    register. But since there are only 16 byte written to the chip and the
    first byte is interpreted as an address, the status register (which is
    the 16th) is never written.
    The other problem is, that initializing all registers to zero is not
    valid for day, date and month register. Funny enough this is checked by
    ds1337_detect(), which depends on this values not being zero. So then
    treated by ds1337_init_client() the ds1337 is not detected anymore,
    whereas the failure bit in the status register is still set.

    Broken by commit f9e8957937ebf60d22732a5ca9130f48a7603f60 (2.6.16-rc1,
    2006-01-06). This fix is in Linus' tree since 2.6.20-rc1 (commit
    763d9c046a2e511ec090a8986d3f85edf7448e7e).

    Signed-off-by: Dirk Stieler
    Signed-off-by: Dirk Eibach
    Signed-off-by: Jean Delvare
    Signed-off-by: Chris Wright

commit d4ea7f9f5554d94dcb8a630f470c724d05e8f112
Author: Marcel Holtmann
Date:   Mon Dec 11 15:18:24 2006 +0100

    [PATCH] Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)

    With malformed packets it might be possible to overwrite internal CMTP
    and CAPI data structures. This patch adds additional length checks to
    prevent these kinds of remote attacks.

    Signed-off-by: Marcel Holtmann
    Signed-off-by: Chris Wright

commit f73237921bbbffaf0e338ef018726980a5483baa
Author: Tejun Heo
Date:   Sat Dec 16 20:02:32 2006 +0900

    [PATCH] SCSI: add missing cdb clearing in scsi_execute()

    Clear-garbage-after-CDB patch missed scsi_execute() and it causes some
    ODDs (HL-DT-ST DVD-RAM GSA-H30N) choke during SCSI scan. Note that this
    patch is only for -stable. There is another more reliable fix for this
    problem proposed for devel tree.

    http://thread.gmane.org/gmane.linux.ide/14605/focus=14605

    Signed-off-by: Tejun Heo
    Cc: Jens Axboe
    Cc: Douglas Gilbert
    Signed-off-by: Chris Wright

commit 5033031c3a98f3c1169745c341dbb7342b24e2a1
Author: Roland Dreier
Date:   Fri Dec 15 20:58:14 2006 -0800

    [PATCH] IB/srp: Fix FMR mapping for 32-bit kernels and addresses above 4G

    struct srp_device.fmr_page_mask was unsigned long, which means that the
    top part of addresses above 4G was being chopped off on 32-bit
    architectures. Of course nothing good happens when data from SRP
    targets is DMAed to the wrong place.

    Fix this by changing fmr_page_mask to u64, to match the addresses
    actually used by IB devices.

    Thanks to Brian Cain and David McMillen for help diagnosing the bug and
    testing the fix.

    Signed-off-by: Roland Dreier
    Signed-off-by: Chris Wright

commit fb0ddf36bdfec06438610afd1e44e40b6de06e55
Author: Tim Chen
Date:   Wed Dec 13 14:17:58 2006 -0800

    [PATCH] sched: remove __cpuinitdata anotation to cpu_isolated_map

    The structure cpu_isolated_map is used not only during initialization.
    Multi-core scheduler configuration changes and exclusive cpusets use
    this during run time. During setting of sched_mc_power_savings policy,
    this structure is accessed to update sched_domains.

    Signed-off-by: Tim Chen
    Acked-by: Suresh Siddha
    Acked-by: Ingo Molnar
    Signed-off-by: Chris Wright

commit 4a40b99aa9d8e4354b6d99a928e7141ab18c1842
Author: Russell King
Date:   Wed Dec 13 14:12:15 2006 +0000

    [PATCH] ARM: Add sys_*at syscalls

    Later glibc requires the *at syscalls. Add them.

    Signed-off-by: Russell King
    Signed-off-by: Chris Wright

commit 57696190149bc88eacc5e911cd7298cec144503e
Author: Roman Zippel
Date:   Tue Dec 12 23:04:19 2006 -0500

    [PATCH] kbuild: don't put temp files in source

    The as-instr/ld-option need to create temporary files, but create them
    in the output directory, when compiling external modules. Reformat them
    a bit and use $(CC) instead of $(AS) as the former is used by kbuild to
    assemble files.

    Signed-off-by: Roman Zippel
    Cc: Andi Kleen
    Cc: Jan Beulich
    Cc: Sam Ravnborg
    Cc:
    Cc: Horst Schirmeier
    Cc: Daniel Drake
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit 459593b95acfee630b5c8a33e674d1a802a5b6c7
Author: Stefan Richter
Date:   Tue Dec 12 23:00:16 2006 -0500

    [PATCH] ieee1394: ohci1394: add PPC_PMAC platform code to driver probe

    Fixes http://bugzilla.kernel.org/show_bug.cgi?id=7431
    iBook G3 threw a machine check exception and put the display backlight
    to full brightness after ohci1394 was unloaded and reloaded.

    Signed-off-by: Stefan Richter
    [dsd@gentoo.org: also added missing if condition, commit
    63cca59e89892497e95e1e9c7156d3345fb7e2e8]
    Signed-off-by: Daniel Drake
    Acked-by: Stefan Richter
    Signed-off-by: Chris Wright

commit a1803540413ea466bca67803cf71d9339e48bfb6
Author: Tejun Heo
Date:   Tue Dec 12 22:58:48 2006 -0500

    [PATCH] libata: handle 0xff status properly

    libata waits for !BSY even when the status register reports 0xff. This
    causes long boot delays when D8 isn't pulled down properly.
    This patch does the followings.

    * don't wait if status register is 0xff in all wait functions

    * make ata_busy_sleep() return 0 on success and -errno on failure.
      -ENODEV is returned on 0xff status and -EBUSY on other failures.

    * make ata_bus_softreset() succeed on 0xff status. 0xff status is not
      reset failure. It indicates no device. This removes unnecessary
      retries on such ports. Note that the code change assumes unoccupied
      port reporting 0xff status does not produce valid device signature.

    Signed-off-by: Tejun Heo
    Cc: Joe Jin
    Signed-off-by: Jeff Garzik
    Signed-off-by: Chris Wright

commit a151f5843d0a34013d9c5ebffd7f9be838699c24
Author: John W. Linville
Date:   Tue Dec 12 22:56:17 2006 -0500

    [PATCH] Revert "[PATCH] zd1211rw: Removed unneeded packed attributes"

    This reverts commit 4e1bbd846d00a245dcf78b6b331d8a9afed8e6d7.

    Quoth Daniel Drake:

    "A user reported that commit 4e1bbd846d00a245dcf78b6b331d8a9afed8e6d7
    (Remove unneeded packed attributes) breaks the zd1211rw driver on ARM."

    Signed-off-by: John W. Linville
    Signed-off-by: Chris Wright

commit f37a67a156387c252dcb3e0c00a7d0258c01cbc0
Author: Hans Verkuil
Date:   Tue Dec 12 00:36:39 2006 -0500

    [PATCH] V4L: Fix broken TUNER_LG_NTSC_TAPE radio support

    The TUNER_LG_NTSC_TAPE is identical in all respects to the
    TUNER_PHILIPS_FM1236_MK3. So use the params struct for the Philips
    tuner. Also add this LG_NTSC_TAPE tuner to the switches where radio
    specific parameters are set so it behaves like a
    TUNER_PHILIPS_FM1236_MK3. This change fixes the radio support for this
    tuner (the wrong bandswitch byte was used).

    Thanks to Andy Walls for finding this bug.

    Signed-off-by: Hans Verkuil
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Michael Krufky
    Signed-off-by: Chris Wright

commit 65bb9cf40ced907192d65298c37b0fd1f559e301
Author: Michael Krufky
Date:   Tue Dec 12 00:34:27 2006 -0500

    [PATCH] DVB: lgdt330x: fix signal / lock status detection bug

    In some cases when using VSB, the AGC status register has been known to
    falsely report "no signal" when in fact there is a carrier lock. The
    datasheet labels these status flags as QAM only, yet the lgdt330x
    module is using these flags for both QAM and VSB.

    This patch allows for the carrier recovery lock status register to be
    tested, even if the agc signal status register falsely reports no
    signal.

    Thanks to jcrews from #linuxtv in irc, for initially reporting this
    bug.

    Signed-off-by: Michael Krufky
    Signed-off-by: Chris Wright

commit fae0ef93df6f6b3ebf9209d4be7112f97405814c
Author: Andy Gospodarek
Date:   Tue Nov 21 11:46:44 2006 -0500

    [PATCH] bonding: incorrect bonding state reported via ioctl

    This is a small fix-up to finish out the work done by Jay Vosburgh to
    add carrier-state support for bonding devices. The output in
    /proc/net/bonding/bondX was correct, but when collecting the same info
    via an ioctl it could still be incorrect.

    Signed-off-by: Andy Gospodarek
    Cc: Jeff Garzik
    Cc: Stephen Hemminger
    Signed-off-by: Andrew Morton
    Signed-off-by: Jeff Garzik
    Signed-off-by: Chris Wright

commit 33e57a8e59504540ad5a6070dd1b70493cc68024
Author: Arjan van de Ven
Date:   Mon Dec 11 21:45:01 2006 +0100

    [PATCH] x86-64: Mark rdtsc as sync only for netburst, not for core2

    On the Core2 cpus, the rdtsc instruction is not serializing (as defined
    in the architecture reference since rdtsc exists) and due to the deep
    speculation of these cores, it's possible that you can observe time go
    backwards between cores due to this speculation. Since the kernel
    already deals with this with the SYNC_RDTSC flag, the solution is
    simple, only assume that the instruction is serializing on family 15...
    The price one pays for this is a slightly slower gettimeofday (by a
    dozen or two cycles), but that increase is quite small to pay for a
    really-going-forward tsc counter.

    Signed-off-by: Arjan van de Ven
    Signed-off-by: Andi Kleen
    Signed-off-by: Chris Wright

commit 4ad328ffdcf3d014ff98ff75afcf457387c8bd56
Author: Ulrich Kunitz
Date:   Sun Dec 10 18:39:28 2006 +0100

    [PATCH] ieee80211softmac: Fix mutex_lock at exit of ieee80211_softmac_get_genie

    ieee80211softmac_wx_get_genie locks the associnfo mutex at function
    exit. This patch fixes it. The patch is against Linus' tree (commit
    af1713e0).

    Signed-off-by: Ulrich Kunitz
    Signed-off-by: Michael Buesch
    Signed-off-by: Chris Wright

commit 18576724d36745d801988ed56de1062182a0fe02
Author: Hugh Dickins
Date:   Sun Dec 10 02:18:43 2006 -0800

    [PATCH] read_zero_pagealigned() locking fix

    Ramiro Voicu hits the BUG_ON(!pte_none(*pte)) in zeromap_pte_range:
    kernel bugzilla 7645. Right: read_zero_pagealigned uses down_read of
    mmap_sem, but another thread's racing read of /dev/zero, or a normal
    fault, can easily set that pte again, in between zap_page_range and
    zeromap_page_range getting there. It's been wrong ever since 2.4.3.

    The simple fix is to use down_write instead, but that would serialize
    reads of /dev/zero more than at present: perhaps some app would be
    badly affected. So instead let zeromap_page_range return the error
    instead of BUG_ON, and read_zero_pagealigned break to the slower
    clear_user loop in that case - there's no need to optimize for it.

    Use -EEXIST for when a pte is found: BUG_ON in mmap_zero (the other
    user of zeromap_page_range), though it really isn't interesting there.
    And since mmap_zero wants -EAGAIN for out-of-memory, the zeromaps
    better return that than -ENOMEM.

    Signed-off-by: Hugh Dickins
    Cc: Ramiro Voicu:
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Chris Wright

commit 80355a9d6632081192381bdcc6903d96627f1c1a
Author: Herbert Xu
Date:   Sun Dec 10 11:32:06 2006 +1100

    [PATCH] sha512: Fix sha384 block size

    The SHA384 block size should be 128 bytes, not 96 bytes. This was
    spotted by Andrew Donofrio.

    This breaks HMAC which uses the block size during setup and the final
    calculation.

    Signed-off-by: Herbert Xu
    Signed-off-by: Chris Wright

commit 43cb0cab8631c2099561dae2cf6ed47c9bd37471
Author: Herbert Xu
Date:   Sun Dec 10 09:50:36 2006 +1100

    [PATCH] dm-crypt: Select CRYPTO_CBC

    As CBC is the default chaining method for cryptoloop, we should select
    it from cryptoloop to ease the transition. Spotted by Rene Herman.

    Signed-off-by: Herbert Xu
    Signed-off-by: Chris Wright
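
The block-size dependency described in the "sha512: Fix sha384 block size" entry above, as an added example that is not part of the changelog or the kernel's code: an HMAC written out per RFC 2104 with the block size as an explicit parameter, compared against Python's own `hmac` module for 128 and 96 bytes. The function names and the sample keys and messages are constructed for this illustration.

```python
import hashlib
import hmac

CORRECT_BLOCK = 128  # SHA-384 uses the same 128-byte block as SHA-512
WRONG_BLOCK = 96     # the value the changelog entry says was wrong


def hmac_with_block_size(key: bytes, msg: bytes, block_size: int,
                         hash_name: str = "sha384") -> bytes:
    """HMAC per RFC 2104 with the hash block size B passed in explicitly."""
    # Setup: a key longer than B is first replaced by its digest ...
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    # ... and the key is then zero-padded to exactly B bytes.
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    # Final calculation: the outer hash is keyed with another B-byte pad.
    return hashlib.new(hash_name, opad + inner).digest()


# Constructed sample inputs covering the three key-length cases.
SAMPLES = [
    (b"\x0b" * 20, b"Hi There"),       # shorter than both block sizes
    (b"k" * 100, b"sample message"),   # pre-hashed only when B is 96
    (b"k" * 200, b"sample message"),   # pre-hashed under both sizes
]


def compare(key: bytes, msg: bytes) -> dict:
    """Check both block sizes against the standard library's HMAC-SHA384."""
    reference = hmac.new(key, msg, hashlib.sha384).digest()
    good = hmac_with_block_size(key, msg, CORRECT_BLOCK)
    bad = hmac_with_block_size(key, msg, WRONG_BLOCK)
    return {
        "key_len": len(key),
        "correct_matches_reference": hmac.compare_digest(good, reference),
        "wrong_matches_reference": hmac.compare_digest(bad, reference),
    }


def run_all() -> list:
    return [compare(key, msg) for key, msg in SAMPLES]


if __name__ == "__main__":
    for row in run_all():
        print(row)
```

A peer computing HMAC-SHA384 with the 96-byte value produces a tag that no conforming implementation will verify, whatever the key length, because the pad length feeds both the inner and the outer hash.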